Event Log Query

A while ago I noticed these entries in the Hub Event Log.
At the time there were no active PCs powered on. What does the entry "[CWMP] Connection Request NOT ALLOWED." indicate? It appears that a warm reset was triggered.
Who was the Lua user in "SYSTEM reboot by Lua user"?
00:00:29   1 Jan WIRELESS interface turned on.
00:00:27   1 Jan usbmgr: start 0.4.8
00:00:19   1 Jan KERNEL Warm restart
04:16:34   7 Dec KERNEL Controlled restart
04:16:34   7 Dec SYSTEM timed reboot triggered by timeout
04:16:24   7 Dec FIREWALL event (1 of 37): created rules
04:16:24   7 Dec PPP link down (Internet) [86.130.16.75]
04:16:18   7 Dec FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 86.130.16.75 Dst ip: 62.239.169.176 Type: Destination Unreachable Code: Port Unreacheable
04:16:18   7 Dec VOIP: [2.0A] [***********] [FXS DECT1 DECT2 DECT3 DECT4 DECT5] REGISTER - SIP message sent
04:16:17   7 Dec DHCS server went down
04:16:17   7 Dec FIREWALL event (1 of 7): deleted rules
04:16:15   7 Dec SYSTEM reboot by Lua user
04:16:15   7 Dec CONFIGURATION saved by TR69
04:15:44   7 Dec [CWMP] Connection Request NOT ALLOWED.
Peter

CWMP is BT's remote configuration system, which is used to change certain settings within the Home Hub; for some reason it forced a restart.
It may be worth resetting the home hub to factory default, as the configuration may be corrupted.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

Similar Messages

  • HH3a Open WiFi entries in event log query - conne...

    Here are the entries since 25 Sept. I know that these are probably persons unknown accessing the BTWiFi/FON signal (I haven't used it). I am surprised at the sudden jump in frequency but am concerned at the length of time the connections can be open, as some clearly exceed the 2 hours cut-off limit, e.g. the latest entry exceeds the 2 hrs: on 20 Nov up @ 7.57 and down @ 11.56, and on the 19th up @ 12.18 and down @ 21.26, plus the up @ 05.24 but not down.
    I appreciate that these have no impact on my usage (unlimited anyway) but it just seems wrong to have the connections open for the length of time that they can be.
    Can anyone shed any light on why at all?


  • Event Viewer cannot open the event Log or Custom view. Verify that the Event log service is running or query is too long. The instance name passed was not recognized as valid by a WMI data provider(4201).

    "Event Viewer cannot open the event Log or Custom view. Verify that the Event log service is running or query is too long. The instance name passed was not recognized as valid by a WMI data provider(4201)"
    This error keeps cropping up now and again on most of our domain controllers (OS: 2008 and 2008 R2). Usually a restart fixes the issue; however, the issue repeats and security logs don't generate.
    Any advice on how to fix this issue permanently would be greatly appreciated.

    Please see this: https://social.technet.microsoft.com/Forums/windows/en-US/95987ca3-a1b2-4da6-95b7-d825d06cdac7/error-code-4201-the-instance-name-passed-was-not-recognized-as-valid-by-a-wmi-data-provider?forum=w7itprosecurity
    You can also try rebuilding the WMI repository: http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK

  • [UNSOLVED] Event Log Custom XML Query Filtering Help

    I've looked at a few different posts but I must be missing something because what I'm constructing isn't working.
    Here's the XML code of an example event:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="ERAS WCF" />
        <EventID Qualifiers="0">0</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-07-09T20:32:51.000000000Z" />
        <EventRecordID>899070</EventRecordID>
        <Channel>Application</Channel>
        <Computer>server.f.q.d.n</Computer>
        <Security />
      </System>
      <EventData>
        <Data>User [email protected] has submitted 'Get BIOS Information' operation from servername to computername.f.q.d.n.</Data>
      </EventData>
    </Event>
    This is my query:
    <QueryList>
    <Query Id="0">
    <Select Path="Application">*[EventData[Data and (Data='computername' or Data='ip.add.re.ss')]]</Select>
    </Query>
    </QueryList>
    I always get 0 results, even if I take stabs in the dark:
    *[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
    *[EventData[Data and (Data='*computername*')]]
    *[EventData[Data and (Data='%computername%')]]
    I used this post as my guide for filtering based on content: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
    Also:
    I hope this is the right place for this question. This said to post in the server forums, but in the server forums, it said to post here.
    I happen to be doing this on a server, but it could just as easily be a desktop.

    Hello,
    Thanks for posting your question to this forum. Since this forum is related to XPath, what I can do is help you validate your XPath query. I tested your queries on my computer; however, all of them loaded event records correctly:
    Query: *[EventData[Data and (Data='Office12AssertTimer' or Data='6.3.9600.17031')]]
    Result: (screenshot not reproduced)
    Query: *[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
    Result: (screenshot not reproduced)
    So your XPath query is OK. Could you try the same query on another computer to check whether it returns records there? I am wondering if there is something wrong with your current computer.
    And since the XPath is OK, I would suggest posting it to the server forum to see if there are others looking into it.
    Regards.
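Added example, not part of this thread and not written by either poster: the reason the original query returns nothing is that the Windows Event Log XPath subset compares a <Data> element by exact string equality, so Data='computername' can never match a Data element whose text is the whole sentence shown in the event, and the subset offers no substring function such as contains(). The script below therefore lets XPath handle only the structured fields (provider name and level, taken from the posted event) and does the free-text match in PowerShell afterwards. The search terms are the placeholders from the post; the log name is Application as in the post.

```powershell
# Structured part of the filter: provider and level live under <System>, and the
# event log's XPath subset handles equality on those directly.
$Provider    = 'ERAS WCF'
$SearchTerms = @('computername', 'ip.add.re.ss')   # placeholders copied from the post
$XPath       = "*[System[Provider[@Name='$Provider'] and Level=4]]"

$events = Get-WinEvent -LogName 'Application' -FilterXPath $XPath -ErrorAction SilentlyContinue

# Free-text part: each <Data> element is exposed as an entry in .Properties, so test it
# with -like (substring match) rather than relying on XPath equality, which would only
# match if the whole Data text equalled the search term.
$hits = foreach ($e in $events) {
    $texts = $e.Properties | ForEach-Object { [string]$_.Value }
    foreach ($term in $SearchTerms) {
        if ($texts | Where-Object { $_ -like "*$term*" }) { $e; break }
    }
}

$hits | Select-Object TimeCreated, Id, ProviderName, Message | Format-Table -AutoSize -Wrap
```

Keep the structural conditions in the XPath so the event log service does the bulk of the filtering; only the part XPath cannot express is evaluated client-side.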

  • Query Event Log

    I would like to use a PowerShell script to check compliance on several systems.  What I would like is a script that would: query the events in a specific event log for the last 24 hours, look for a specific event and report back compliant. 
    Can anyone show me how this could be possible?

    You can use the Get-EventLog cmdlet as it has a -ComputerName parameter, or you can use Invoke-Command with its -ComputerName and -ScriptBlock parameters along with Get-EventLog. Invoke-Command is likely faster but will require that you have WinRM/PSRemoting in place. Here's an example of both, but I also would recommend you look in the gallery, as jrv suggested, since gathering event logs is a topic that comes up often. You should also take a look at the parameters on Get-EventLog so you can determine how you intend to look for specific events.
    http://technet.microsoft.com/en-us/library/hh849834.aspx
    # Query each computer remotely from this host (no PSRemoting needed)
    $LogName = 'System'
    $Computers = 'Computer01','Computer02','Computer03'
    $Date = (Get-Date).AddHours(-24)
    Get-EventLog -LogName $LogName -ComputerName $Computers -After $Date

    # Run the query on each computer via PSRemoting. Inside the script block Get-EventLog
    # already runs locally on that computer, so -ComputerName is not passed again
    # (passing the whole list would make every host query all three).
    $LogName = 'System'
    $Computers = 'Computer01','Computer02','Computer03'
    $Date = (Get-Date).AddHours(-24)
    Invoke-Command -ComputerName $Computers {
        Get-EventLog -LogName $args[0] -After $args[1]
    } -ArgumentList $LogName,$Date
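Added example, not part of this thread: the answer shows how to pull events, but the question asked for a script that reports "compliant" when a specific event appeared in the last 24 hours. The function below does that per computer using Get-WinEvent with a hashtable filter, which filters on the server side and reads both classic and modern logs. The log and computer names are the ones used in the answer above; the event ID is a placeholder to replace with the event that proves compliance.

```powershell
function Test-EventCompliance {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $LogName = 'System',
        [Parameter(Mandatory)] [int] $EventId,
        [int] $Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($computer in $ComputerName) {
        # One result object per computer; Error stays empty unless the query itself failed.
        $result = [ordered]@{ Computer = $computer; EventId = $EventId; Compliant = $false; Matched = 0; Error = $null }
        try {
            $found = Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
                LogName = $LogName; Id = $EventId; StartTime = $since
            }
            $result.Matched   = @($found).Count
            $result.Compliant = $result.Matched -gt 0
        } catch {
            # Get-WinEvent throws when nothing matched; that is simply "non-compliant".
            # Anything else (host unreachable, access denied) is recorded as an error.
            if ($_.Exception.Message -notmatch 'No events were found') { $result.Error = $_.Exception.Message }
        }
        [pscustomobject]$result
    }
}

$RequiredEventId = 1234   # placeholder: the event ID whose presence means "compliant"
Test-EventCompliance -ComputerName 'Computer01','Computer02','Computer03' -LogName 'System' -EventId $RequiredEventId |
    Format-Table -AutoSize
```

Because an unreachable host is reported separately from "no matching event", the output distinguishes a genuinely non-compliant system from one that simply could not be checked.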

  • Windows update KB2964444 broke Event Logging Service and SQL Agent Service on Windows Server 2008 R2

    I got the following problem:
    I discovered that on my Windows Server 2008R2 machine the event logging stopped working on 04/May/2014 at 03:15.
    Also, SQL Agent Service won't run
    The only change that day was security update KB2964444 - Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine...
    When I try to start Windows Event Log via net start eventlog or via the Services panel, I get an error:
    C:\Users\Administrator>net start eventlog
    The Windows Event Log service is starting.
    The Windows Event Log service could not be started.
    A system error has occurred.
    System error 2 has occurred.
    The system cannot find the file specified.
    I tried:
    restarted the OS (virtual on the host's VMware).
    re-checked the settings in the services menu - they are like in the link.
    checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog - the identity is NT AUTHORITY\LocalService
    gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
    ran sfc /scannow - Windows Resource Protection did not find any integrity violations.
    went to the file %windir%\logs\cbs\cbs.log - all clean, [SR] Repairing 0 components
    EDIT: Uninstalled the recent system updates and rebooted - didn't help
    EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):
    filters:
    process name is svchost.exe : include
    operation contains TCP : exclude
    the events captured are:
    21:50:33.8105780 svchost.exe 772 Thread Create SUCCESS Thread ID: 6088
    21:50:33.8108848 svchost.exe 772 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
    21:50:33.8109134 svchost.exe 772 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8109302 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read
    21:50:33.8109497 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
    21:50:33.8110051 svchost.exe 772 RegCloseKey HKLM SUCCESS
    21:50:33.8110423 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8110705 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
    21:50:33.8110923 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8111257 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS Desired Access: Read
    21:50:33.8111547 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services SUCCESS
    21:50:33.8111752 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS
    21:50:33.8111901 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    21:50:33.8112148 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS
    21:50:33.8116552 svchost.exe 772 Thread Exit SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
    NOTE: previously, for
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also got a NAME NOT FOUND error, so I created the new string value for the Parameters with the name ServiceDll and data %SystemRoot%\System32\wevtsvc.dll (copied from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key) and this event now is
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also checked for the presence of wevtsvc.dll in that place and it's there.
    Also, I tried to capture all events with path containing 'event' and got the following events firing every several seconds:
    21:38:38.9185226 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Tag NAME NOT FOUND Length: 16
    21:38:38.9185513 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup NAME NOT FOUND Length: 268
    21:38:38.9185938 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Group NAME NOT FOUND Length: 268
    Also, I tried to capture all the events containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe, System, and it shows NO attempts to access any file in the time I try to start the event logger (if run from cmd there are several hits by the net executable, not present if run from the panel).
    What can be done?

    Hi,
    I didn't find a similar issue. If you have IE 11, please try to update the system automatically or install the MS14-029 update.
    The related KB:
    MS14-029: Security update for Internet Explorer 11 for systems that do not have update 2919355 (for Windows 8.1 or Windows Server 2012 R2) or update 2929437 (for Windows 7 SP1 or Windows Server 2008 R2 SP1) installed: May 13, 2014
    http://support.microsoft.com/kb/2961851/en-us
    Hope this helps.

  • CMD=Ping&log query is taking long time-taken when checked in IIS logs.... Exchange 2010 SP3..

    Query regarding the ActiveSync and parameter time-taken from ActiveSync IIS logs.
    Here is what I see in the logs.
    [email protected] 45.101.90.185 Apple-iPad2C3/1202.410 200 0 0 1501129
    443 [email protected] 45.101.90.185 Apple-iPad2C3/1202.410 200
    0 0 22105
    443 [email protected] 45.101.90.185 Apple-iPad2C3/1202.410 200
    0 0 452
    443 [email protected] 45.101.90.185 Apple-iPad2C3/1202.410 200
    0 0 936
    443 [email protected] 45.101.90.185 Apple-iPad2C3/1202.410 200
    0 0 656238 
    In the above log, the highlighted values are the time-taken field. I just want to check what the ideal time-taken value is; some value above should be causing a problem, like the one at the top, 1501129?
    And I see it's for a POST event and the CMD=Ping&log query.
    We have MobileIron in the environment and we are seeing a few timeout errors on the MobileIron server and for users intermittently. They usually see the error below. However, we don't see any end-user issues, but we just want to get rid of the error below. The MobileIron guys are pointing to the time-taken value, which is intermittently high.
    IOException connection to server [email protected] -- java.io.IOException: awaitUninterruptibly was stopped by timeout
    @BALA

    Hi,
    To understand more about the issue, I’d like to confirm the following information:
    1. What’s your Exchange 2010 version? 
    http://support.microsoft.com/kb/2536517/en-us
    2. Do you install other software, like SQL, on the same Exchange Server?
    3. Change another admin account to access EMS.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Script to Export Pervious Day Events Logs to CSV

    HI,
    I am trying to export all the previous day's application event logs to a CSV file. I found the following script on the net. But for this script to work I need to enter in the Event IDs I want to export. Does anyone have any idea how I can change this script to export all event IDs, or have another script that can?
    'Description : This script queries the event log for...whatever you want it to! Just set the event log name and event IDs!
    'Initialization  Section
    Option Explicit
    Const ForReading   = 1
    Const ForWriting   = 2
    Const ForAppending = 8
    Dim objDictionary, objFSO, wshShell, wshNetwork
    Dim scriptBaseName, scriptPath, scriptLogPath
    Dim ipAddress, macAddress, item, messageType, message
    On Error Resume Next
       Set objDictionary = NewDictionary
       Set objFSO        = CreateObject("Scripting.FileSystemObject")
       Set wshShell      = CreateObject("Wscript.Shell")
       Set wshNetwork    = CreateObject("Wscript.Network")
       scriptBaseName    = objFSO.GetBaseName(Wscript.ScriptFullName)
       scriptPath        = objFSO.GetFile(Wscript.ScriptFullName).ParentFolder.Path
       scriptLogPath     = scriptPath & "\" & IsoDateString(Now)
       If Err.Number <> 0 Then
          Wscript.Quit
       End If
    On Error Goto 0
    'Main Processing Section
    On Error Resume Next
       PromptScriptStart
       ProcessScript
       If Err.Number <> 0 Then
          MsgBox BuildError("Processing Script"), vbCritical, scriptBaseName
          Wscript.Quit
       End If
       PromptScriptEnd
    On Error Goto 0
    'Functions Processing Section
    'Name       : ProcessScript -> Primary Function that controls all other script processing.
    'Parameters : None          ->
    'Return     : None          ->
    Function ProcessScript
       Dim hostName, logName, startDateTime, endDateTime
       Dim events, eventNumbers, i
       hostName      = wshNetwork.ComputerName
       logName       = "application"
       eventNumbers  = Array("1001","1")
       startDateTime = DateAdd("n", -21600, Now)
       'Query the event log for the eventID's within the specified event log name and date range.
       If Not QueryEventLog(events, hostName, logName, eventNumbers, startDateTime) Then
          Exit Function
       End If
       'Log the scripts results to the scripts
       For i = 0 To UBound(events)
          LogMessage events(i)
       Next
    End Function
    'Name       : QueryEventLog -> Primary Function that controls all other script processing.
    'Parameters : results       -> Input/Output : Variable assigned to an array of results from querying the event log.
    '           : hostName      -> String containing the hostName of the system to query the event log on.
    '           : logName       -> String containing the name of the Event Log to query on the system.
    '           : eventNumbers  -> Array containing the EventID's (eventCode) to search for within the event log.
    '           : startDateTime -> Date\Time containing the date to finish searching at.
    '           : minutes       -> Integer containing the number of minutes to subtract from the startDate to begin the search.
    'Return     : QueryEventLog -> Returns True if the event log was successfully queried otherwise returns False.
    Function QueryEventLog(results, hostName, logName, eventNumbers, startDateTime)
       Dim wmiDateTime, wmi, query, eventItems, eventItem
       Dim timeWritten, eventDate, eventTime, description
       Dim eventsDict, eventInfo, errorCount, i
       QueryEventLog = False
       errorCount    = 0
       If Not IsArray(eventNumbers) Then
          eventNumbers = Array(eventNumbers)
       End If
       'Construct part of the WMI Query to account for searching multiple eventID's
       query = "Select * from Win32_NTLogEvent Where Logfile = " & SQ(logName) & " And (EventCode = "
       For i = 0 To UBound(eventNumbers)
          query = query & SQ(eventNumbers(i)) & " Or EventCode = "
       Next
       On Error Resume Next
          Set eventsDict = NewDictionary
          If Err.Number <> 0 Then
             LogError "Creating Dictionary Object"
             Exit Function
          End If
          Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & hostName & "\root\cimv2")
          If Err.Number <> 0 Then
             LogError "Creating WMI Object to connect to " & DQ(hostName)
             Exit Function
          End If
          'Create the "SWbemDateTime" Object for converting WMI Date formats. Supported in Windows Server 2003 & Windows XP.
          Set wmiDateTime = CreateObject("WbemScripting.SWbemDateTime")
          If Err.Number <> 0 Then
             LogError "Creating " & DQ("WbemScripting.SWbemDateTime") & " object"
             Exit Function
          End If
          'Build the WQL query and execute it.
          wmiDateTime.SetVarDate startDateTime, True
          query          = Left(query, InStrRev(query, "'")) & ") And (TimeWritten >= " & SQ(wmiDateTime.Value) & ")"
          Set eventItems = wmi.ExecQuery(query)
          If Err.Number <> 0 Then
             LogError "Executing WMI Query " & DQ(query)
             Exit Function
          End If
          'Convert the property values of Each event found to a comma seperated string and add it to the dictionary.
          For Each eventItem In eventItems
             Do
                timeWritten = ""
                eventDate   = ""
                eventTime   = ""
                eventInfo   = ""
                timeWritten = ConvertWMIDateTime(eventItem.TimeWritten)
                eventDate   = FormatDateTime(timeWritten, vbShortDate)
                eventTime   = FormatDateTime(timeWritten, vbLongTime)
                eventInfo   = eventDate                          & " "
                eventInfo   = eventInfo & eventTime              & ","
                eventInfo   = eventInfo & eventItem.SourceName   & ","
                eventInfo   = eventInfo & eventItem.Type         & ","
                eventInfo   = eventInfo & eventItem.Category     & ","
                eventInfo   = eventInfo & eventItem.EventCode    & ","
                eventInfo   = eventInfo & eventItem.User         & ","
                eventInfo   = eventInfo & eventItem.ComputerName & ","
                description = eventItem.Message
                'Ensure the event description is not blank.
                If IsNull(description) Then
                   description = "The event description cannot be found."
                End If
                description = Replace(description, vbCrLf, " ")
                eventInfo   = eventInfo & description
                'Check if any errors occurred enumerating the event Information
                If Err.Number <> 0 Then
                   LogError "Enumerating Event Properties from the " & DQ(logName) & " event log on " & DQ(hostName)
                   errorCount = errorCount + 1
                   Err.Clear
                   Exit Do
                End If
                'Remove all Tabs and spaces.
                eventInfo = Trim(Replace(eventInfo, vbTab, " "))
                Do While InStr(1, eventInfo, "  ", vbTextCompare) <> 0
                   eventInfo = Replace(eventInfo, "  ", " ")
                Loop
                'Add the Event Information to the Dictionary object if it doesn't exist.
                If Not eventsDict.Exists(eventInfo) Then
                   eventsDict(eventsDict.Count) = eventInfo
                End If
             Loop Until True
          Next
       On Error Goto 0
       If errorCount <> 0 Then
          Exit Function
       End If
       results       = eventsDict.Items
       QueryEventLog = True
    End Function
    'Name       : ConvertWMIDateTime -> Converts a WMI Date Time String into a String that can be formatted as a valid Date Time.
    'Parameters : wmiDateTimeString  -> String containing a WMI Date Time String.
    'Return     : ConvertWMIDateTime -> Returns a valid Date Time String otherwise returns a Blank String.
    Function ConvertWMIDateTime(wmiDateTimeString)
       Dim integerValues, i
       'Ensure the wmiDateTimeString contains a "+" or "-" character. If it doesn't it is not a valid WMI date time so exit.
       If InStr(1, wmiDateTimeString, "+", vbTextCompare) = 0 And _
          InStr(1, wmiDateTimeString, "-", vbTextCompare) = 0 Then
          ConvertWMIDateTime = ""
          Exit Function
       End If
       'Replace any "." or "+" or "-" characters in the wmiDateTimeString and check each character is a valid integer.
       integerValues = Replace(Replace(Replace(wmiDateTimeString, ".", ""), "+", ""), "-", "")
       For i = 1 To Len(integerValues)
          If Not IsNumeric(Mid(integerValues, i, 1)) Then
             ConvertWMIDateTime = ""
             Exit Function
          End If
       Next
       'Convert the WMI Date Time string to a String that can be formatted as a valid Date Time value.
       ConvertWMIDateTime = CDate(Mid(wmiDateTimeString, 5, 2)  & "/" & _
                                  Mid(wmiDateTimeString, 7, 2)  & "/" & Left(wmiDateTimeString, 4) & " " & _
                                  Mid(wmiDateTimeString, 9, 2)  & ":" & _
                                  Mid(wmiDateTimeString, 11, 2) & ":" & _
                                  Mid(wmiDateTimeString, 13, 2))
    End Function
    'Name       : NewDictionary -> Creates a new dictionary object.
    'Parameters : None          ->
    'Return     : NewDictionary -> Returns a dictionary object.
    Function NewDictionary
       Dim dict
       Set dict          = CreateObject("scripting.Dictionary")
       dict.CompareMode  = vbTextCompare
       Set NewDictionary = dict
    End Function
    'Name       : SQ          -> Places single quotes around a string
    'Parameters : stringValue -> String containing the value to place single quotes around
    'Return     : SQ          -> Returns a single quoted string
    Function SQ(ByVal stringValue)
       If VarType(stringValue) = vbString Then
          SQ = "'" & stringValue & "'"
       End If
    End Function
    'Name       : DQ          -> Place double quotes around a string and replace double quotes
    '           :             -> within the string with pairs of double quotes.
    'Parameters : stringValue -> String value to be double quoted
    'Return     : DQ          -> Double quoted string.
    Function DQ (ByVal stringValue)
       If stringValue <> "" Then
          DQ = """" & Replace (stringValue, """", """""") & """"
       Else
          DQ = """"""
       End If
    End Function
    'Name       : IsoDateTimeString -> Generate an ISO date and time string from a date/time value.
    'Parameters : dateValue         -> Input date/time value.
    'Return     : IsoDateTimeString -> Date and time parts of the input value in "yyyy-mm-dd hh:mm:ss" format.
    Function IsoDateTimeString(dateValue)
       IsoDateTimeString = IsoDateString (dateValue) & " " & IsoTimeString (dateValue)
    End Function
    'Name       : IsoDateString -> Generate an ISO date string from a date/time value.
    'Parameters : dateValue     -> Input date/time value.
    'Return     : IsoDateString -> Date part of the input value in "yyyy-mm-dd" format.
    Function IsoDateString(dateValue)
       If IsDate(dateValue) Then
          IsoDateString = Right ("000" &  Year (dateValue), 4) & "-" & _
                          Right (  "0" & Month (dateValue), 2) & "-" & _
                          Right (  "0" &   Day (dateValue), 2)
       Else
          IsoDateString = "0000-00-00"
       End If
    End Function
    'Name       : IsoTimeString -> Generate an ISO time string from a date/time value.
    'Parameters : dateValue     -> Input date/time value.
    'Return     : IsoTimeString -> Time part of the input value in "hh:mm:ss" format.
    Function IsoTimeString(dateValue)
       If IsDate(dateValue) Then
          IsoTimeString = Right ("0" &   Hour (dateValue), 2) & ":" & _
                          Right ("0" & Minute (dateValue), 2) & ":" & _
                          Right ("0" & Second (dateValue), 2)
       Else
          IsoTimeString = "00:00:00"
       End If
    End Function
    'Name       : LogMessage -> Writes a message to a log file.
    'Parameters : logPath    -> String containing the full folder path and file name of the Log file without with file extension.
    '           : message    -> String containing the message to include in the log message.
    'Return     : None       ->
    Function LogMessage(message)
       If Not LogToCentralFile(scriptLogPath & ".csv", IsoDateTimeString(Now) & "," & message) Then
          Exit Function
       End If
    End Function
    'Name       : LogError -> Writes an error message to a log file.
    'Parameters : logPath  -> String containing the full folder path and file name of the Log file without with file extension.
    '           : message  -> String containing a description of the event that caused the error to occur.
    'Return     : None       ->
    Function LogError(message)
       If Not LogToCentralFile(scriptLogPath & ".err", IsoDateTimeString(Now) & "," & BuildError(message)) Then
          Exit Function
       End If
    End Function
    'Name      : BuildError -> Builds a string of information relating to the error object.
    'Parameters: message    -> String containnig the message that relates to the process that caused the error.
    'Return    : BuildError -> Returns a string relating to error object.  
    Function BuildError(message)
       BuildError = "Error " & Err.Number & " (Hex " & Hex(Err.Number) & ") " & message & ". " & Err.Description
    End Function
    'Name       : LogToCentralFile -> Attempts to Appends information to a central file.
    'Parameters : logSpec          -> Folder path, file name and extension of the central log file to append to.
    '           : message          -> String to include in the central log file
    'Return     : LogToCentralFile -> Returns True if Successfull otherwise False.
    Function LogToCentralFile(logSpec, message)
       Dim attempts, objLogFile
       LogToCentralFile = False
       'Attempt to append to the central log file up to 10 times, as it may be locked by some other system.
       attempts = 0
       Do
          On Error Resume Next
             Set objLogFile = objFSO.OpenTextFile(logSpec, ForAppending, True)
             If Err.Number = 0 Then
                objLogFile.WriteLine message
                objLogFile.Close
                LogToCentralFile = True
                Exit Function
             End If
          On Error Goto 0
          Randomize
          Wscript.sleep 1000 + Rnd * 100
          attempts = attempts + 1
       Loop Until attempts >= 10
    End Function
    'Name       : PromptScriptStart -> Prompt when script starts.
    'Parameters : None
    'Return     : None
    Function PromptScriptStart
       MsgBox "Now processing the " & DQ(Wscript.ScriptName) & " script.", vbInformation, scriptBaseName
    End Function
    'Name       : PromptScriptEnd -> Prompt when script has completed.
    'Parameters : None
    'Return     : None
    Function PromptScriptEnd
       MsgBox "The " & DQ(Wscript.ScriptName) & " script has completed successfully.", vbInformation, scriptBaseName
    End Function
    Thanks

    Here is a script that will copy the previous day's events and save them to "C:\". The file name will be yesterday's date, e.g. "04-18-2010-Events.csv".
    Const strComputer = "."
    Dim objFSO, objWMIService, colEvents, objEvent, outFile
    Dim dtmStartDate, dtmEndDate, DateToCheck, fileDate
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
    Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
    'change the date form "/" to "-" so it can be used in the file name
    fileDate = Replace(Date - 1,"/","-")
    Set outFile = objFSO.CreateTextFile("C:\" & fileDate & "-Events.csv",True)
    DateToCheck = Date - 1
    dtmEndDate.SetVarDate Date, True
    dtmStartDate.SetVarDate DateToCheck, True
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
        & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
    For Each objEvent In colEvents
       outFile.WriteLine String(100,"-")
       outFile.WriteLine "Category = " & objEvent.Category
       outFile.WriteLine "ComputerName = " & objEvent.ComputerName
       outFile.WriteLine "EventCode = " & objEvent.EventCode
       outFile.WriteLine "Message = " & objEvent.Message
       outFile.WriteLine "RecordNumber = " & objEvent.RecordNumber
       outFile.WriteLine "SourceName = " & objEvent.SourceName
       outFile.WriteLine "TimeWritten = " & objEvent.TimeWritten
       outFile.WriteLine "Type = " & objEvent.Type
       outFile.WriteLine "User = " & objEvent.User
       outFile.WriteLine String(100,"-")
    Next
    outFile.Close
    MsgBox "Finished!"
    v/r LikeToCode....Mark the best replies as answers.

  • Event log entries missing in PoSh but visible in Eventvwr

    Hi,
    I've noticed the following issue on about 10 out of 2500 computers which run a script on our domain, so it's minor, but I'd like to understand why it's happening.
    When I query the event log using the eventvwr GUI I can filter on event ID 7001 and all the events list fine. However, when I run 'get-eventlog -logname system -instanceid 7001' it shows all the events except the last 3 or so most recent ones (which are visible in the GUI).
    I've cross-referenced this with an event visible in the GUI that had an EventRecordID of 32029. But when querying this via PowerShell 'get-eventlog -logname system -index 32029' it returns 'no matches found'.
    It's a weird problem, because if I were to query the logs in a few hours' time after a few more people have logged on/off the computer then the event would show in PowerShell, but the new most recent ones wouldn't.
    Is there a caching mechanism at work, and if so how could I disable it? It's interesting that these machines are all built from the same WDS image with the same GPOs applied but only a very small percentage exhibit this issue; all other machines show recent event logs in PowerShell instantly.
    I should also mention that these are all Windows 7 x64 computers.
    Any help appreciated.
    Thanks,
    Phil

    Hi,
    Based on my understanding, only some of your computers have this issue. And when using WMI, we can query all of the events, but when using the PowerShell command, some logs are missing.
    I would like to know, when we use 'get-eventlog -logname system -instanceid 7001| out-file c:\result.txt', how many logs are there?
    I think it may be caused by there being so much log information that it could not all be displayed. We may try some other logs as well.
    Regards,
    Yan Li
    TechNet Subscriber Support
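Phil's observation (records visible in Event Viewer but not returned by Get-EventLog) can be measured rather than guessed at. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads the newest N records of a log through the legacy API behind Get-EventLog and through the newer one behind Get-WinEvent, and lists the record numbers that only the newer API returns. The function and parameter names are this example's own, and it assumes the caller is allowed to read the log. It compares on the EventID property rather than using -InstanceId, because InstanceId carries the event's qualifier bits and does not equal the displayed ID for every source.

```powershell
# Added example (not from the thread): compare what the legacy event log API
# (Get-EventLog) and the newer one (Get-WinEvent) return for the same event ID.
function Compare-EventLogApis {
    param(
        [string]$LogName = 'System',
        [int]$EventId = 7001,
        [int]$Newest = 2000          # how many of the most recent records to inspect
    )
    # Legacy API: Index is the log record number (the EventRecordID shown in Event Viewer)
    $legacyIds = Get-EventLog -LogName $LogName -Newest $Newest |
        Where-Object { $_.EventID -eq $EventId } |
        ForEach-Object { $_.Index }
    # Newer API: RecordId is the same record number
    $modernIds = Get-WinEvent -LogName $LogName -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq $EventId } |
        ForEach-Object { $_.RecordId }
    # Records the newer API sees but the legacy API does not (Phil's "no matches found" case)
    $missing = @($modernIds | Where-Object { $legacyIds -notcontains $_ })
    New-Object PSObject -Property @{
        LogName        = $LogName
        EventId        = $EventId
        LegacyCount    = @($legacyIds).Count
        ModernCount    = @($modernIds).Count
        MissingRecords = ($missing -join ', ')
    }
}

# Same window of the log through both APIs; a non-empty MissingRecords is the discrepancy
Compare-EventLogApis -LogName System -EventId 7001 | Format-List
```

If MissingRecords is non-empty on an affected machine but empty on a healthy one, the gap is in how the two APIs read the log rather than in the log itself, and Get-WinEvent is the safer choice for a script that must see the latest events.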

  • Event logs fails to start on Exchange Server 2010

    My Exchange server 2010 R2 SP1 Enterprise single server is down.  All exchange services fail to start.  It appears like the Microsoft Exchange Active Directory Topology service isn't starting which is a dependency for all other services.
    The error I get when trying to start this service is:
    Windows could not start the Microsoft Exchange Active Directory Topology on Local Computer.  For more information, review the System Event Log.  If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code
    -2147024882
    To make matters worse, the event viewer is not starting either.
    When trying to start the Windows Event Log, I get the error:
    Windows could not start the Windows Event Log service on Local Computer. Displays Error code 5
    This is running on a Windows Server 2008 R2 SP1 Standard box.
    Any assistance is appreciated.

    When trying to start the Windows Event Log, I get the error:
    Windows could not start the Windows Event Log service on Local Computer. Displays Error code 5
    Hi,
    Based on this error, this problem happens if any of the following conditions are true:
    The built-in security group EventLog does not have permissions on the folder %SystemRoot%\System32\winevt\Logs
    The Local Service account does not have default permissions on the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability
    To solve this problem, we need to restore the default permissions in the list below on %SystemRoot%\System32\winevt\logs.
    Authenticated user - List folder/read data, Read attributes, Read Extended attributes, Read permissions
    Administrators - Full control
    SYSTEM - Full control
    EventLog - Full control
    Please try the following methods:
    Method 1
    To restore the default permissions on the folder %SystemRoot%\System32\winevt\logs, follow these steps:
    1. Right-click %SystemRoot%\System32\winevt\logs and select Properties.
    2. Select the Security tab.
    3. Click the Edit button, then click the Add button in the permissions dialog box.
    4. In the Select Users, Computers, or Groups dialog box, ensure that Built-in Security Principals is selected under Object Types and that the location is the local computer name.
    5. Enter the object name as "NT SERVICE\EventLog" (without quotes) and click OK. This group should have full control on the folder.
    6. Once the EventLog group is added, add the rest of the groups with the permissions listed above.
    Method 2
    Identify a Windows Server 2008 machine with default permissions, then:
    1. Click Start, and then type cmd in the Start Search box.
    2. In the search results list, right-click Command Prompt, and then click Run as Administrator.
    3. When you are prompted by User Account Control, click Continue.
    4. Type the command CD %SystemRoot%\SYSTEM32.
    5. Once the working directory is changed to %SystemRoot%\SYSTEM32, type the command icacls winevt\* /save acl /T.
    6. This will save a file named ACL in %SystemRoot%\SYSTEM32. Copy this file to the C: drive on the problem computer.
    7. On the problem computer, open a command prompt with administrator privileges (refer to previous steps 1-3).
    8. Change the working directory to %SystemRoot%\SYSTEM32.
    9. Execute the command icacls winevt\ /restore acl.
    Default permissions on the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability should be:
    CREATOR OWNER - Full control
    SYSTEM - Full control
    LOCAL SERVICE - Query Value, Set Value, Create Subkey, Notify and Delete
    Administrators - Full control
    Users - Read
    To set the permissions on this registry key:
    1. Click the Start menu, select Run and type Regedit.
    2. Go to the location HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability.
    3. From the Edit menu, click Permissions.
    4. Add the permissions for the accounts as listed above.
    In addition, Exchange 2010 SP1 and SP2 are end of support.
    https://support.microsoft.com/en-us/lifecycle/search/default.aspx?alpha=exchange%20server%202010&Filter=FilterNO
    Best Regards.
    Lynn-Li
    TechNet Community Support
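Before editing ACLs by hand it helps to know which of the identities in the answer above are actually missing. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads the ACL of the winevt\Logs folder and of the Reliability key with Get-Acl and reports, for each identity the answer lists, whether an Allow entry is present and which rights it grants. The function name is this example's own; it assumes an elevated prompt, and it only reads, so the repair remains the manual steps or the icacls /restore above. Get-Acl renders the identities as shown in the list, with the answer's "Authenticated user" appearing as NT AUTHORITY\Authenticated Users.

```powershell
# Added example (not from the thread): report which expected identities are absent from
# the event log folder and Reliability key ACLs, and what rights the present ones hold.
function Test-EventLogServiceAcl {
    # Identities taken from the answer above, spelled as Get-Acl renders them
    $expected = @(
        @{
            Path       = "$env:SystemRoot\System32\winevt\Logs"
            Identities = @('NT SERVICE\EventLog', 'NT AUTHORITY\SYSTEM',
                           'BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users')
        },
        @{
            Path       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability'
            Identities = @('CREATOR OWNER', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE',
                           'BUILTIN\Administrators', 'BUILTIN\Users')
        }
    )
    foreach ($check in $expected) {
        try {
            $acl = Get-Acl -Path $check.Path -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read the ACL of $($check.Path): $_"
            continue
        }
        foreach ($identity in $check.Identities) {
            # .Access includes inherited entries, so a right granted higher up still counts
            $aces = @($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Allow' })
            # Folder entries expose FileSystemRights, registry entries expose RegistryRights
            $rights = $aces | ForEach-Object {
                if ($_.PSObject.Properties['FileSystemRights']) { $_.FileSystemRights } else { $_.RegistryRights } }
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Path     $check.Path
            $row | Add-Member NoteProperty Identity $identity
            $row | Add-Member NoteProperty Present  ($aces.Count -gt 0)
            $row | Add-Member NoteProperty Rights   (@($rights | ForEach-Object { "$_" }) -join '; ')
            $row
        }
    }
}

# Any row with Present = False is an entry the steps above (or icacls /restore) must put back
Test-EventLogServiceAcl | Format-Table Path, Identity, Present, Rights -AutoSize
```

The Rights column is worth reading even when Present is True: the answer expects Full control for EventLog, SYSTEM and Administrators on the folder, so an EventLog entry that grants only Read would still leave the service unable to start.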

  • CSA MC Events Log and Agent Panel Events Corrolation

    I have recently installed CSA MC 6.0.0.201 and the agent on a Win2003 server. I have a question about events showing up in the agent panel and not showing up in the MC events log.
    I see a number of events in the agent 'panel' event viewer. At the end of the event is a number in brackets like [176].
    When I look at the MC event viewer, those events are not being reported.
    My query is:
    #1 I believe the example [176] is the rule being triggered. So if the event is not showing up in the event viewer, how do I find that rule in the policies? I finally did stumble across the rule and I see that logging is disabled for that rule, but finding that rule was a needle-in-the-haystack search. Is there an easier way to find rules?
    #2 Maybe I do not understand this part, but in the MC I placed this server (the one with the MC) into 'Audit Mode' in hopes that would get the events from the agent to show up in the MC event log. No good. Is there a way to get all events - even if the rule says not to log the event - to show up in the MC log so I can create an exception?
    Thanks
    Larry

    Tom,
    I think I may have made some progress. Yes, I'm in advanced mode. I went into Systems | Groups and first selected the 'Servers' group and turned on logging. Still, most of the events in the agent event viewer were not making it to the MC event log.
    So I went back in to the Systems | Groups and found there was a group called 'Servers - CSA Management Center' and turned on logging there and that got the events to start flowing into the MC events.
    Maybe this will help me get going.
    Larry

  • Forwarded events log empty

    Hi all,
    I have a frustrating issue with the forwarded events log, which stays empty when I change its location to the D: partition rather than the default C: (it works fine on C:).
    Once I change the location in the properties of Forwarded Events to D:, a new log is created but it is still empty.
    Any ideas, please? Thanks

    Hi Justin, 
    I checked the File key in the registry and the new location is indeed set as the value (D:\forwardedEvts.evtx).
    In the event viewer, on the forwarded events I have this message: "event viewer cannot open the event log or custom view. verify that event log service is running or query is too long. access is denied (5)"
    Thanks,

  • Login / out history extraction from 2008R2 Event Logs with a PowerShell script?

    Hi folks,
    I think I'm asking something similar to a few other posts, but instead of hijacking their threads, I thought I'd start my own.
    As the subject suggests, I'm trying to extract from a 2008R2 server's Event logs a table of users and their respective login / out events. Not just asking AD for their last login times, but a list of login / out events.
    So far, I'm using:
    Get-EventLog -logname security -Newest 1000 | where {$_.eventID -eq 4624 -or 4634 }
    but the list is long, and contains host authentication connections as well as users. I believe I need something like the ability to filter on "user is domain user", or "user is not a computer", or similar, and then pipe it to Export-CSV, but the data is not a CSV file, but more like text, i.e.:
    Index : 87290035
    EntryType : SuccessAudit
    InstanceId : 5156
    Message : The Windows Filtering Platform has permitted a connection.
    Application Information:
    Process ID: 1688
    Application Name: \device\harddiskvolume2\windows\system32\dns.exe
    Network Information:
    Direction: %%14592
    Source Address: 192.168.xx.xx
    Source Port: 53
    Destination Address: 192.168.xx.xx
    Destination Port: 44242
    Protocol: 17
    Filter Information:
    Filter Run-Time ID: 66055
    Layer Name: %%14610
    Layer Run-Time ID: 44
    Category : (12810)
    CategoryNumber : 12810
    ReplacementStrings : {1688, \device\harddiskvolume2\windows\system32\dns.exe, %%14592, 192.168.xx.xx...}
    Source : Microsoft-Windows-Security-Auditing
    TimeGenerated : 28/01/2011 4:46:35 PM
    TimeWritten : 28/01/2011 4:46:35 PM
    UserName :
    Why is that even coming up as a result?
    Ideally, I would like a CSV file containing these columns:
    User,timestamp,computer,logon/off
    I've thought about adding a script to the Group Policy where it runs on local machines and appends details to a file on a network share, but I think I would prefer to run this locally, perhaps periodically as a script.
    -- Ebor Administrator

    Thanks Matthew for the links. While I was initially thinking that's looking rather complicated, and my solution was simplistic in comparison, I'm finding (with no surprises, really) that things can get rather complicated quickly. If only parsing was easier (or if only they didn't use "Here-Strings" and used normal Strings instead... </grumble>), as it's now looking at almost ten lines (mostly for readability).
    In short, I'm now looking at:
    Get-ADUser -Filter * -SearchBase "OU=Users,OU=Ebor Computing,DC=Ebor,DC=Local" | Sort-Object | ForEach-Object -Process {
        $UserName = $_.SamAccountName
        $MsgQuery = "*" + $UserName + "*"
        Get-EventLog -logname security -Message $MsgQuery | where {$_.EventID -eq 4624 -or $_.EventID -eq 4634} | ForEach-Object -Process {
            # EventID belongs to the event, not to the AD user object, so it is read here
            $EventID = $_.EventID
            $SrcAddr = "Unknown"
            # Match the field by name rather than a fixed-width substring, which throws when the field sits near the end of the message
            if ($_.Message -match "Source Network Address:\s*(\S+)") { $SrcAddr = $matches[1] }
            $UserName + "," + $SrcAddr + "," + $EventID + "," + $_.TimeGenerated | Out-File -FilePath "${UserName}_login_events.csv" -Append
        }
    }
    Eeuuw... don't know why that was parsed as it was above... Either way, this takes a very long time, but gives a separate file for each user and goes back the entire length of the Event Log's history for reporting purposes.
    Noting that I had to query AD for the users, this has to run from the AD PowerShell instead of the normal PS, as I don't know the appropriate module load command to get a normal PS to work with AD. Keeping this limitation in mind, I think it works, but needs some tweaking for formatting and output I think.
    I'm tempted to create an RODC for this to run on, but what else does the DC do, really? May as well warm up the CPU for an hour or so ;-) I guess one of the improvements could be to determine if the cycles are being taken up with poor String parsing, or with AD querying. Another would be to add some comments... ;-)
    -- Ebor Administrator

  • [Server 2008R2] Filter event logs for logged in users from clients on domain

    Hi All,
    I am looking for a script which can be run on a domain controller to check which user accounts logged in on the domain. I am looking for both the username and client. Reason why I need this is to check where service accounts are used.
    Thanks.
    Kind regards,
    Bart
    Bart Timmermans | Consultant at inovativ

    Hi Bart,
    To parse the event log, you can refer to the cmdlet "Get-WinEvent", and how to use this cmdlet to parse event log, please check this article, you can also add the "-computername" to query event log from remote computers:
    Use PowerShell Cmdlet to Filter Event Log for Easy Parsing
    To monitor the logon history, please check this function to start:
    function Get-Win7LogonHistory {
        $logons = Get-EventLog Security -AsBaseObject -InstanceId 4624,4647 |
                  Where-Object { ($_.InstanceId -eq 4647) -or
                                 (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+2")) -or
                                 (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+10")) }
        $poweroffs = Get-EventLog System -AsBaseObject -InstanceId 41
        $events = $logons + $poweroffs | Sort-Object TimeGenerated
        if ($events) {
            foreach ($event in $events) {
                # Reset per event so a malformed entry cannot reuse the previous event's user.
                $user = $null
                # Parse logon data from the Event.
                if ($event.InstanceId -eq 4624) {
                    # A user logged on.
                    $action = 'logon'
                    $event.Message -match "Logon Type:\s+(\d+)" | Out-Null
                    $logonTypeNum = $matches[1]
                    # Determine logon type.
                    if ($logonTypeNum -eq 2) {
                        $logonType = 'console'
                    } elseif ($logonTypeNum -eq 10) {
                        $logonType = 'remote'
                    } else {
                        $logonType = 'other'
                    }
                    # Determine user.
                    if ($event.message -match "New Logon:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)") {
                        $user = $matches[1]
                    } else {
                        $index = $event.index
                        Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
                    }
                } elseif ($event.InstanceId -eq 4647) {
                    # A user logged off.
                    $action = 'logoff'
                    $logonType = $null
                    # Determine user.
                    if ($event.message -match "Subject:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)") {
                        $user = $matches[1]
                    } else {
                        $index = $event.index
                        Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
                    }
                } elseif ($event.InstanceId -eq 41) {
                    # The computer crashed.
                    $action = 'logoff'
                    $logonType = $null
                    $user = '*'
                }
                # As long as we managed to parse the Event, print output.
                if ($user) {
                    $timeStamp = Get-Date $event.TimeGenerated
                    $output = New-Object -Type PSCustomObject
                    Add-Member -MemberType NoteProperty -Name 'UserName' -Value $user -InputObject $output
                    Add-Member -MemberType NoteProperty -Name 'ComputerName' -Value $env:computername -InputObject $output
                    Add-Member -MemberType NoteProperty -Name 'Action' -Value $action -InputObject $output
                    Add-Member -MemberType NoteProperty -Name 'LogonType' -Value $logonType -InputObject $output
                    Add-Member -MemberType NoteProperty -Name 'TimeStamp' -Value $timeStamp -InputObject $output
                    Write-Output $output
                }
            }
        } else {
            Write-Host "No recent logon/logoff events."
        }
    }
    Get-Win7LogonHistory
    Refer to:
    https://github.com/pdxcat/Get-LogonHistory/blob/master/Get-LogonHistory.ps1
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang
    TechNet Community Support
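Both Ebor's thread (a CSV of user, timestamp, computer and logon/logoff) and Bart's question (which accounts log on from which clients, to find where service accounts are used) come down to the same job: reading 4624/4634 as structured records instead of pattern-matching the rendered Message text, and dropping the machine accounts that make the raw listing so long. The PowerShell below is an added example serving both threads; it is not code from either thread, from the linked GitHub script, or from Microsoft. It uses Get-WinEvent with a FilterHashtable and the event's XML fields (TargetUserName, TargetDomainName, LogonType, WorkstationName, IpAddress), which exist on 2008 R2. The function and parameter names are this example's own, and it assumes it runs elevated (or as a member of Event Log Readers) on the machine whose Security log is read; output paths are placeholders.

```powershell
# Added example (not from the threads): one row per 4624/4634 event, with the user,
# logon type and source taken from the event's named EventData fields.
function Get-LogonRecord {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000,
        [switch]$IncludeMachineAccounts
    )
    # FilterHashtable is applied by the event log service, so only 4624/4634 are read at all
    $filter  = @{ LogName = 'Security'; Id = 4624, 4634 }
    $builtin = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'ANONYMOUS LOGON')
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents |
      ForEach-Object {
        # Named EventData fields are stable across languages; the rendered Message text is not
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $user = $data['TargetUserName']
        # Machine accounts end in '$'; they and the built-in principals are the "host
        # authentication connections" that padded the original listing
        if (-not $IncludeMachineAccounts -and ($user -like '*$' -or $builtin -contains $user)) { return }
        if ($_.Id -eq 4624) { $action = 'logon' } else { $action = 'logoff' }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty TimeStamp  $_.TimeCreated
        $row | Add-Member NoteProperty Computer   $_.MachineName
        $row | Add-Member NoteProperty User       ("{0}\{1}" -f $data['TargetDomainName'], $user)
        $row | Add-Member NoteProperty Action     $action
        $row | Add-Member NoteProperty LogonType  $data['LogonType']        # 2 console, 3 network, 4 batch, 5 service, 10 RDP
        $row | Add-Member NoteProperty SourceHost $data['WorkstationName']  # empty on 4634
        $row | Add-Member NoteProperty SourceIP   $data['IpAddress']        # empty on 4634
        $row
      }
}

# Ebor's CSV (User, timestamp, computer, logon/off); path is a placeholder
Get-LogonRecord | Export-Csv -Path 'C:\logon-events.csv' -NoTypeInformation

# Bart's question: where are service accounts used? Group non-interactive logons
# (network 3, batch 4, service 5) by account and originating host, busiest first
Get-LogonRecord -MaxEvents 20000 |
  Where-Object { $_.Action -eq 'logon' -and (@('3', '4', '5') -contains $_.LogonType) } |
  Group-Object User, SourceHost |
  Sort-Object Count -Descending |
  Select-Object Count, Name
```

On a domain controller the 4624 events only cover logons that the DC itself performed; a complete picture of which clients a service account is used from needs the same query against each member server's Security log (the -ComputerName parameter exists for that) or event forwarding into a collector, which is the Forwarded Events log discussed earlier on this page.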

  • Jrun default event log errors

    Does anyone see any familiar issues by just looking at this default-event.log from the Jrun server? We are running CFMX6.1 updater.
    Thanks for your suggestions
    Emmanuel

    You can review this thread. It tells you what is probably going on. However, a simpler method (than the one Sean mentions) to fix the issue is to simply scope your variables. Ideally all variables are initialized before they are called or you use cfparam to initialize them. But you should always scope the variables, even if they are in the variables scope, so CF does not go searching through all the scopes (including CGI) as Sean discusses. So the tops of your pages should be full of:
    <cfparam name="variables.foo" type="string"> etc.
    This is especially critical on pages that initialize many variables, as with Fusebox and other frameworks. If you have dozens of unscoped cfparam tags on a single page, that page goes scrambling to find each variable in all the scopes normally searched. The CGI scope is maintained by the web server, so CF must query it. Scope your variables, including those in the variables scope, whenever possible.
